Create a strong, secure online password

Editor’s note: Raechelle Clemmons of St. Norbert College writes a monthly column for the Business section of Press-Gazette Media. In light of the recent breach of 1.2 billion passwords, we have re-posted her column from April 23 on creating passwords.

The other day I was asked, “How secure is (a well-known social collaboration website)?” I think my answer surprised the person who asked, and it may surprise you.

While reputable online service providers like the one in question typically have very good security systems in place, in many cases the security for your data — documents, files and personal information — is only as good as your password. And that may not be as secure as you think.

Knowing the importance of a good password, IT professionals online and off require users to create passwords that meet specific standards and criteria. Usually this means a password that is a minimum length and includes a combination of upper and lowercase letters, numbers and/or special characters. Even so, some of the most common passwords in 2013 were ones like “123456” and “password.” If you happen to have one of these as your password, do not finish reading this article. For your own protection, please go change it. Now.

Remembering a complex password can be difficult, so why do IT departments require that passwords be a certain length and structure? I can assure you that it is not to make your life more difficult. Or just for fun. It’s because IT professionals know how incredibly easy it is to hack passwords. Using the processing power in a typical computer — like the one that you may be using in your office or house — a hacker can try millions and often billions of password combinations in a minute. With that type of power, a six-digit alphanumeric password — one that contains lowercase letters and numbers only — can be hacked in seconds.

Consider the math behind a password. If you have a six-character password and only use lowercase letters, there are 26 possible letters for each of the six characters (that is, 26 x 26 x 26 x 26 x 26 x 26). That’s 308 million possible combinations, all of which can be run within a matter of minutes using a typical computer!

Add in numbers 0-9, and the options for each character jump to 36. Uppercase letters increase this to 62, and by adding in common special characters, the total possible options for each character in the password increase to between 90 and 100 (depending on the type of special characters and punctuation allowed).

This increases the total possible combinations from 26^6 to 90^6 — or from 308 million to approximately 531 billion possible combinations. Extend your password length to nine characters (90^9) and you will now have 387 quadrillion possible password combinations — that’s 387 with 15 zeros after it. As you can see, length and complexity matter.
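The arithmetic above, worked through as a small added example (not part of the original column): it derives the character-set size from the classes a password actually uses, computes the resulting keyspace and its size in bits, and estimates how long an exhaustive search would take at an assumed rate of one billion guesses per minute, which is a placeholder standing in for the column's "millions and often billions."

```python
import math
import string

# Character classes and their sizes, matching the column's figures:
# 26 lowercase, 26 uppercase, 10 digits, and the 32 printable ASCII
# symbols (which brings the per-character total to 94, inside the
# column's "between 90 and 100").
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}

# The two passwords the column singles out as most common (constructed list).
COMMON_PASSWORDS = {"123456", "password"}

# Assumed guessing rate for one ordinary desktop: a placeholder, not a
# measured figure.
GUESSES_PER_MINUTE = 1_000_000_000


def alphabet_size(password: str) -> int:
    """Size of the smallest character set covering every class the password uses."""
    return sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))


def keyspace(alphabet: int, length: int) -> int:
    """Number of candidates an exhaustive search must cover (alphabet^length)."""
    return alphabet ** length


def entropy_bits(password: str) -> float:
    """Keyspace expressed in bits; 0.0 for an empty password."""
    size = alphabet_size(password)
    return len(password) * math.log2(size) if size else 0.0


def minutes_to_exhaust(password: str, rate: int = GUESSES_PER_MINUTE) -> float:
    """Worst-case minutes to try every candidate in the password's keyspace."""
    return keyspace(alphabet_size(password), len(password)) / rate


def assess(password: str) -> dict:
    """Summarise a password the way the column's arithmetic does."""
    return {
        "common": password in COMMON_PASSWORDS,
        "alphabet": alphabet_size(password),
        "bits": round(entropy_bits(password), 1),
        "minutes_to_exhaust": minutes_to_exhaust(password),
    }
```

The time figure is the exhaustive-search worst case; guessing strategies that try dictionary words and common substitutions first finish far sooner on passwords built from a word, so treat it as an upper bound rather than a guarantee.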

While virtually no password is foolproof, there are some strategies that we recommend for creating strong and secure passwords. While you should steer clear of common dictionary words (e.g., dog, cat, love, friend, etc.), selecting an uncommon, long word and interspersing it with random numbers and characters can be quite effective. Consider an 11-character word like “synergistic,” add random capitalization and a few characters, and your password might be “syNer%$gis3tic.”

You can use patterns to remember how you’ve applied the special formatting; for this one I capitalized the last letter in the first syllable, added in predetermined characters after the second syllable, and added in a favorite number after the third character.

A potentially easier but equally effective strategy is to take a phrase or quote that is meaningful to you, and convert that to a password. Take, for example, the common expression “Do unto others as you would have them do unto you.” Take the first letter of each word in the phrase, like “duoaywhtduy,” add capitalization in a predetermined spot (e.g., the third and sixth letters), “duOayWhtduy,” change the “a” to an “@” sign, and add your favorite special character at the end, for your new password: “duO@yWhtduy#.” Voila.

Regardless of your method for picking a password, most experts agree that you should use unique passwords for every site, or absent that, at least use a different password for your sensitive sites (like banking, for example) than you do for less important sites, like social networks.

If all of this seems really complicated, there are password management tools like KeePass, LastPass or mSecure that can help. These tools can create and store lengthy, unique passwords for each site you log into. All you need to do is remember one very secure password for the software, and the password manager takes care of the rest.

Raechelle Clemmons is vice president and chief information officer at St. Norbert College. She can be reached at raechelle.clemmons@snc.edu. You can also follow her on Twitter @rclemmons.